Artificial Intelligence Helps Put Privacy on Autopilot
Session 229, February 14, 2018
Pamela Rayne, Practice Group Leader & Chief Legal Counsel Privacy, JHM
Carol Richardson, Privacy Officer, JHM
Conflict of Interest
Pamela Rayne, JD: Has no real or apparent conflicts of interest to report.
Carol Richardson: Has no real or apparent conflicts of interest to report.
Agenda
About Johns Hopkins Medicine (JHM) and the Johns Hopkins Privacy Office (JHPO)
Proactive monitoring program
Automated Email Proof of Concept
Lessons Learned
Learning Objectives
Recognize how Johns Hopkins Medicine transitioned from a reactive to a proactive privacy monitoring approach by implementing a clinically-aware and AI-enabled platform that brings together data from many disparate sources and allows them to zero in on true threats to patient privacy
Describe the difficulty that Hopkins experienced with resolving high-volume, low-risk cases of family member privacy violations, and how they implemented procedures that allowed them to automate policy oversight and re-educate at scale
Demonstrate the measurable impacts that this automated approach had on resolving these cases and, more importantly, how it is supporting an effort to reduce future policy violations
About JHM
Headquartered in Baltimore, Maryland, Johns Hopkins Medicine unites physicians and scientists of the Johns Hopkins University School of Medicine with the organizations, health professionals and facilities of The Johns Hopkins Hospital and Health System.
6 academic and community hospitals
4 suburban health care and surgery centers
40+ patient care locations
Home care group and an international division
About the Johns Hopkins Privacy (HIPAA) Office
JH has a centralized Privacy Office. The mission of the Privacy Office is to encourage and assist JH covered entities in complying with the HIPAA privacy regulations, other applicable federal and state privacy laws, and related Johns Hopkins HIPAA policies and procedures.
The Privacy Office provides direction and advice over all Johns Hopkins HIPAA covered entities and functions, for both the Health System and the University, for both providers and for health plans.
Use of Electronic Medical Records Systems
1. Generally, workforce members should access only those electronic medical records necessary to perform job functions.
2. Specific policy was implemented to address use of electronic access for non-work purposes.
Policy does not apply to those in a volunteer, temporary staff or vendor role.
Policy does not include mental health, substance abuse or billing records.
Policy requires that a workforce member is already an authorized user of the EMR system.
Use of Electronic Medical Records Systems (continued)
3. A workforce member may access the following electronic medical records for non-work purposes without any further approval:
his/her own record
child's record (aged 0-12), or a deceased child's record if the child died as a minor
4. Privacy Office approval is needed to access the following electronic medical records for non-work purposes:
child's record (aged 13-17) if extenuating circumstances exist
adult record with HIPAA authorization or legal representative documentation
How the JH Privacy Office Educates its Workforce on How to Protect Patient Data
New employee training
Annual training
Privacy Campaigns
Bi-Annual Broadcast Messages
Compliance Hotline
Face-to-Face training sessions
Confidentiality Agreement
Proactive Monitoring*
Proactive Monitoring at JH
The JH Privacy Office uses an A.I. platform that proactively monitors access to PHI and assigns a suspicion score to every access based on:
The workforce member's role, location, and historical behavior
The workforce member's peers' behavior
The patient's care team, treatment patterns, encounter history, and other clinical context
The JHPO receives alerts for accesses that exceed a set threshold. Those accesses are reviewed by JH Privacy Office staff and categorized, after investigation, as a "false positive" or a "violation."
Feedback from the JHPO trains the A.I. through machine learning.
Proactive Monitoring at JH (continued)
Using a technology platform that relies on A.I. and enables a proactive approach, Hopkins was able to:
Detect 1600% more cases, many of which never would have risen to the surface
Reduce the time it takes to investigate and resolve a case from 80 minutes to 3-5 minutes, on average
Reduce the false positive rate from 82% to 3%
The Problem
In general, this platform has a high accuracy rate compared to random audits or rule-based access log reports (e.g., same last name).
The problem was that in addition to finding low volumes of high-risk violations (co-worker snooping, VIP snooping, suspicious activities), the A.I. was finding high volumes of low-risk violations (family member (FM) access).
Historical data shows that while family member accesses are policy violations, they are usually at the request of the patient and therefore do not result in a HIPAA breach.
Even low-risk violations are investigated, which requires a lot of resources.
While many cases were resolved, the larger volume, lower risk family member cases weren't getting the attention they deserved.
How do we build a procedure that allows us to automate policy oversight and re-education at scale?
The Procedure
1. Automated emails are sent for a controlled number of low-risk FM accesses that exceed a predetermined suspicion score threshold.
2. The email educates the workforce member about the access policy and requests an explanation within 5 business days.
3. Receipt of, and responses to, the automated HIPAA Privacy Alert e-mails are tracked.
4. If no response is received within 10 days of the email date (a reminder email is sent within that window), the JHPO follows up with the workforce member's manager using an email template.
5. This Proof of Concept covered a six-month period.
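The five steps of the procedure as one runnable walk-through, added here as an example and not JHM's own tooling. The 5-business-day reply window and the 10-day manager escalation come from the slide; the weekly Monday batch, the cap of two e-mails per batch, the day-7 reminder (the slide says a reminder goes out inside the 10 days but not when), the field names and the sample cases are constructed assumptions.

```python
"""Added illustration of the automated e-mail lifecycle from the procedure
above. Example code written for this page, not JHM's tooling: the weekly
batch day, the per-batch cap, the day-7 reminder and the sample cases are
constructed assumptions; the 5-business-day reply window and the 10-day
manager escalation come from the procedure.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

REPLY_BUSINESS_DAYS = 5   # from the procedure
ESCALATE_AFTER_DAYS = 10  # from the procedure (calendar days after the e-mail)
REMINDER_AFTER_DAYS = 7   # assumed; the deck only says a reminder falls inside the 10 days


def add_business_days(start: date, n: int) -> date:
    """Date n Mon-Fri business days after start (holidays ignored; assumed)."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


def reply_deadline(sent_iso: str) -> str:
    """ISO date by which the workforce member's explanation is due."""
    return add_business_days(date.fromisoformat(sent_iso), REPLY_BUSINESS_DAYS).isoformat()


@dataclass
class Case:
    user: str
    patient: str
    score: float
    family_member: bool          # only FM cases take the automated path
    sent_on: Optional[date] = None
    due_on: Optional[date] = None
    reminded_on: Optional[date] = None
    responded_on: Optional[date] = None
    escalated_on: Optional[date] = None

    @property
    def is_open(self) -> bool:
        return (self.sent_on is not None and self.responded_on is None
                and self.escalated_on is None)


def select_for_email(cases, threshold, cap, today):
    """Step 1: e-mail a capped number of low-risk FM cases at or above the
    score threshold, highest score first; non-FM cases stay with human review."""
    eligible = [c for c in cases
                if c.family_member and c.score >= threshold and c.sent_on is None]
    eligible.sort(key=lambda c: -c.score)
    batch = eligible[:cap]
    for c in batch:  # step 2: policy e-mail carrying the reply deadline
        c.sent_on = today
        c.due_on = add_business_days(today, REPLY_BUSINESS_DAYS)
    return batch


def record_response(case: Case, today: date) -> None:
    """Step 3: a reply closes the case on the automated path."""
    case.responded_on = today


def daily_sweep(cases, today):
    """Steps 3-4: remind open cases, then escalate to the manager once
    10 days have passed without a reply. Returns (user, action) pairs."""
    actions = []
    for c in cases:
        if not c.is_open:
            continue
        age = (today - c.sent_on).days
        if age >= ESCALATE_AFTER_DAYS:
            c.escalated_on = today
            actions.append((c.user, "escalate to manager"))
        elif age >= REMINDER_AFTER_DAYS and c.reminded_on is None:
            c.reminded_on = today
            actions.append((c.user, "reminder"))
    return actions


def simulate():
    """Constructed two-week walk-through; returns (date, user, action) events."""
    cases = [
        Case("u.cole", "p3", 10, family_member=True),
        Case("u.hall", "p7", 7, family_member=True),
        Case("u.irwin", "p8", 6, family_member=True),
        Case("u.jones", "p9", 9, family_member=False),  # snooping pattern: never auto-e-mailed
        Case("u.kim", "p10", 3, family_member=True),    # below threshold: never e-mailed
    ]
    events = []
    start = date(2018, 1, 8)  # a Monday
    for offset in range(15):
        today = start + timedelta(days=offset)
        if today.weekday() == 0:  # assumed weekly Monday batch with a cap of 2
            for c in select_for_email(cases, threshold=5, cap=2, today=today):
                events.append((today.isoformat(), c.user, "email"))
        if today == date(2018, 1, 11):  # one member replies inside the window
            record_response(cases[0], today)
            events.append((today.isoformat(), "u.cole", "responded"))
        for user, action in daily_sweep(cases, today):
            events.append((today.isoformat(), user, action))
    return events


if __name__ == "__main__":
    for e in simulate():
        print(*e)
```

In the walk-through the cap pushes the third eligible case into the following week's batch, the non-FM snooping case never enters the automated path regardless of its score, one member replies on day 3 and is closed, and the member who never replies gets the reminder on day 7 and the manager escalation on day 10. Tracking state per case (sent, due, reminded, responded, escalated) is what makes the repeat-offense and response-rate figures on the following slides computable.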
Results
Group A (Control): no automated email. Chance of repeat offense: 69.92%
Group B: automated email procedure. Chance of repeat offense: 2.06%
Automated Emails Proof of Concept

Accesses to FM Record    Email    No Email
First Offense              114         105
Second Offense              20          26
Third+ Offense               0         730
Even though not every FM violation was investigated in the same way as other violations, the total number of FM violations declined.
Automated Email PoC
[Chart: monthly counts for Jan through Jun; y-axis "Accesses to FM Record" (0 to 300); series: Number of Emails Sent, Number of Family Member Violations]
What have we learned?
Many workforce members are unable to separate work and personal life
Workforce members may lack knowledge about policies despite new employee orientation or annual training
The use of A.I. to automate privacy workflows can increase the impact of the privacy office and prevent privacy violations
What have we learned? (continued)
While automating its monitoring and family member policy re-education procedures represents substantial progress for JHM, the privacy team continues to ask important questions that will push their program to the next level. These questions include:
Is there an overall decline in privacy violations over time?
How many emails can be sent per week or month?
Will we see a decline in family member accesses over time?
Can automation be used with other types of privacy violations?
Questions
Pamela Rayne: prayne1@jhmi.edu
Carol Richardson: crichar6@jhmi.edu
Don't forget to complete the online session evaluation